When negotiating the connection with the server, your TLS library, let's assume openSSL, is going to tell the server what your maximum supported version is. The server will then choose a version that it, and the client both support. So, assuming your client system supports TLS1.2 there is probably no action required on your part.
TLS 1.2 support was added to OpenSSL in 1.0.1. If you are on el6 or newer and update your packages you should be fine. Check your version like so:
# openssl version
> OpenSSL 1.0.2k-fips 26 Jan 2017
You can check what protocols/ciphers a server supports with this nmap command:
nmap --script ssl-enum-ciphers -p 443 stackoverflow.com
Now, if you want to test a failure when using TLS1.1, or force a cipher or something, you will need to use PHP's stream_context_create
.
With the code below you can force use of TLS1.2 by setting the crypto_method
to
STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
. Or, perhaps more useful towards what you are asking, you could test the failure when forcing use of STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
.
<?php
$options = ['trace' => 1,
'soap_version' => SOAP_1_2,
'exceptions' => true,
'location' => 'https://stackoverflow.com/foo',
'uri' => "https://stackoverflow.com/bar",
'stream_context' => stream_context_create([
'ssl'=> [
'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
'ciphers' => 'SHA256'
]
])];
$client = new SoapClient(null, $options);
try {
$response = $client->getFoo();
} catch (\Exception $e){
var_dump($client->__getLastRequest());
var_dump($client->__getLastResponse());
throw $e;
}
//OR, an even easier test with out a Soap Client...
$opts = [
'ssl'=> [
'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
'ciphers' => 'SHA256',
'verify_peer' => false,
'verify_peer_name' => false
]
];
$context = stream_context_create($opts);
$fp = fopen('https://stackoverflow.com', 'r', false, $context);
If things work with 1.2 and you can generate an error forcing say 1.1 then you can be pretty confident things are setup fine. Errors would be along the lines of:
Warning: fopen(): SSL operation failed with code 1. OpenSSL Error
messages: error:140830B5:SSL routines:ssl3_client_hello:no ciphers
available
fopen(): Failed to enable crypto
When talking about SOAP version 1.1 vs 1.2 those are just different W3C standards for the Simple Object Access Protocol. More on some of the differences can be found here.
I will just say in closing I've not tested this in PHP 5.5, that is such an old version that these days I don't have an easy way to spin it up. Think this would all still be applicable however.